External User Sent a Message to a Skype for Business User, but User was not part of his Contacts?


We're currently using Skype for Business 2016 in our Domain, and we recently had a user receive a message from an External user, and started to have a conversation. Our internal user at first thought it was an internal client, and just so happened to be involved with the information the External client was chatting about. Luckily, our internal client realized that it wasn't an internal client and promptly Blocked the user.

My question is, how was the external user able to connect with one of our internal clients even though this user was not in his contact list, and never had any interaction with this user? We did check the internal user's contact list and possibly any other interaction and found none. I also tested by sending the internal user a message via an external user account (using my personal Skype); while it did add my account to his contact list, my messages didn't reach the internal user. When the internal user clicked on my external account, it prompted to either accept the user or reject.

 

Any information or insight that you can provide is greatly appreciated.

Thanks,

Anthony


Maybe you have Open Federation? And please, do not ask the same question in 2 different "Spaces".

We checked and we don't have Open Federation, and duly noted on double posting! We're now checking if the user changed his settings on the client side of things, under Alerts.

Checked user settings, and those are set to "allow invites but block all other communications", so we're at a loss how this user was able to just start a chat session with our internal user.

"Allow Invites" controls a consumer Skype user's ability to connect with your Skype for Business account but it doesn't affect an external Skype for Business user's ability to connect with you.

Skype for Business (company a) to Skype for Business (company b) communication is controlled by federation rules.

- Open Federation means that any Skype for Business or Lync user from any SIP domain can communicate with you by knowing your SIP URI (usually email address).

- Closed Federation prevents this, however many companies whitelist specific SIP domains.

I would pull the logs from the IM, find this external user's SIP URI, and check if your company has federated with this SIP domain.
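The check suggested in the reply above, written out as an added example for the Skype for Business Server Management Shell (this is not code from the thread or from Microsoft; it uses only the stock Get-Cs* cmdlets). It takes the remote SIP URI recovered from the logs and the internal user's SIP address as parameters; the two values below are constructed placeholders. It reports whether the edge is in open federation (EnablePartnerDiscovery), whether the remote domain is on the allowed or blocked domain list, and which external access policy applies to the internal user.

```powershell
# Added example: classify how a remote SIP domain could reach an internal user.
# Assumes the Skype for Business Server Management Shell (Get-Cs* cmdlets).
# Both parameter defaults are constructed placeholders, not real addresses.
param(
    [string]$RemoteSipUri = "sip:someone@partner.example",   # from the IM logs (placeholder)
    [string]$InternalUser = "sip:alice@contoso.example"      # affected internal user (placeholder)
)

# Reduce "sip:user@domain;params" to just the domain, lower-cased for comparison.
$remoteDomain = $RemoteSipUri.Trim().ToLower()
$remoteDomain = $remoteDomain -replace '^sip:', ''
$remoteDomain = ($remoteDomain -split '@')[-1]
$remoteDomain = ($remoteDomain -split ';')[0]

# 1. Global edge settings: AllowFederatedUsers turns federation on at all;
#    EnablePartnerDiscovery = True is "open federation" (DNS SRV discovery of any domain).
$edge = Get-CsAccessEdgeConfiguration
Write-Host "Remote SIP domain       : $remoteDomain"
Write-Host "AllowFederatedUsers     : $($edge.AllowFederatedUsers)"
Write-Host "EnablePartnerDiscovery  : $($edge.EnablePartnerDiscovery)  (True = open federation)"
Write-Host "RoutingMethod           : $($edge.RoutingMethod)"

# 2. Explicit allow/block lists. Identity of these objects is the SIP domain.
$blocked = Get-CsBlockedDomain | Where-Object { $_.Identity -ieq $remoteDomain }
$allowed = Get-CsAllowedDomain | Where-Object { $_.Identity -ieq $remoteDomain }

if ($blocked) {
    Write-Host "Verdict: $remoteDomain is on the blocked-domain list; traffic should have been rejected."
} elseif ($allowed) {
    Write-Host "Verdict: $remoteDomain is explicitly federated (ProxyFqdn: $($allowed.ProxyFqdn))."
} elseif ($edge.AllowFederatedUsers -and $edge.EnablePartnerDiscovery) {
    Write-Host "Verdict: $remoteDomain is not listed but reachable via open federation (partner discovery)."
} else {
    Write-Host "Verdict: $remoteDomain is not allowed and discovery is off; closed federation should have rejected it."
}

# 3. The external access policy that applies to the internal user. A user-level
#    grant shows up on the user object; otherwise the site or Global policy applies
#    (only Global is resolved here, so check Get-CsExternalAccessPolicy for site policies too).
$user = Get-CsUser -Identity $InternalUser
$policyName = if ($user.ExternalAccessPolicy) { $user.ExternalAccessPolicy } else { "Global" }
$policy = Get-CsExternalAccessPolicy -Identity $policyName
Write-Host "External access policy  : $policyName"
Write-Host "  EnableFederationAccess  : $($policy.EnableFederationAccess)   (other SfB/Lync organizations)"
Write-Host "  EnablePublicCloudAccess : $($policy.EnablePublicCloudAccess)  (consumer Skype via public provider)"
Write-Host "  EnableOutsideAccess     : $($policy.EnableOutsideAccess)"
```

Two things to keep in mind when reading the output: the client-side "allow invites" setting the original poster mentions is a consumer-Skype (public IM) control and is independent of EnableFederationAccess, which is the switch that governs whether another Skype for Business organization can message the user at all; and a domain can reach you without appearing on the allowed list whenever EnablePartnerDiscovery is True, so that single flag is the first thing to check before concluding that something bypassed closed federation.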

Same thing just happened to us. We are not open federated and this external user is most definitely not on our allow list. Someone must have found an exploit.